I have a client for which I use Webform to allow people to apply for employment positions. When I allow users to attach their resumes to the form submission, everything works fine, until HR tries to access the resume file attachment via the emailed link or the link in the submission results for the form.

What is happening is that Drupal is swapping spaces in the URL for the encoded value of %20, but line 586 of components/file.inc is setting the URL value differently...

Something tells me this is going to fix it in one place but break it in another. I bet this will make links in e-mails work (since they're plain text) but break it when the submission is viewed in a web browser.

So it looks to me like we're doing the right thing if the file is a public file, but the double-encoding would only happen if you have the private file system enabled (admin/settings/file-system). Public files are not escaped but private files are run through url(), which ultimately calls drupal_encodeurl().

Considering many more users use public files than private files (and with good reason, private files are really, really slow), I think it's a good idea to hold off on this change. If we can come up with a universal solution I'd be happy to hear it, but for now I think I'd recommend any of the following:

- Install the transliteration.module, which will make safe-names for your uploaded files and prevent this situation.
- Use public files instead of private files.
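
The double-encoding discussed in this thread, as an added example that is not part of the original posts and is not Webform's or Drupal's own code. The function names, the `http://example.com` base URL and the sample file name are assumptions made for illustration, and `encode_path()` is a simplified stand-in for `drupal_encodeurl()`.

```php
<?php
// Simplified stand-in (assumption) for drupal_encodeurl():
// percent-encode the path but keep "/" as the separator.
function encode_path($path) {
  return str_replace('%2F', '/', rawurlencode($path));
}

// Hypothetical builder for the public case: the stored path is emitted unescaped.
function public_link($base, $filepath) {
  return $base . '/' . $filepath;
}

// Hypothetical builder for the private case: the path is run through the encoder.
function private_link($base, $filepath) {
  return $base . '/system/files/' . encode_path($filepath);
}

// Encode each segment exactly once, whether or not the caller pre-encoded it.
// Caveat: a file name that literally contains "%20" is altered by the decode
// step, so the robust fix is to keep paths raw and encode only at output time.
function encode_path_once($path) {
  $segments = explode('/', $path);
  foreach ($segments as $i => $segment) {
    $segments[$i] = rawurlencode(rawurldecode($segment));
  }
  return implode('/', $segments);
}

// Constructed sample input: an uploaded file name containing spaces.
$base   = 'http://example.com';
$stored = 'webform/John Smith resume.pdf';
$pre    = encode_path($stored); // caller encodes before building the link

// Public: a pre-encoded path is correct, a raw path leaves literal spaces.
echo public_link($base, $pre), "\n";
echo public_link($base, $stored), "\n";

// Private: a raw path is encoded once (correct); a pre-encoded path is encoded
// again, turning "%20" into "%2520", so the server looks for the wrong file.
echo private_link($base, $stored), "\n";
echo private_link($base, $pre), "\n";

// The idempotent encoder gives the same result for both inputs.
echo $base . '/system/files/' . encode_path_once($stored), "\n";
echo $base . '/system/files/' . encode_path_once($pre), "\n";
```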